By NHI Mgmt Group Editorial TeamPublished 2026-06-25Domain: Best PracticesSource: Gurucul

TL;DR: Supply-chain attacks are evolving from isolated package compromise into multi-ecosystem credential theft, CI/CD abuse, and malicious publication across GitHub, npm, PyPI, RubyGems, and cloud secrets stores, according to Gurucul's analysis of the Shai-Hulud cluster. The decisive issue is not just compromise but the collapse of trust in developer identities, repository workflows, and secrets governance.


At a glance

What this is: This analysis tracks how Shai-Hulud evolved from package compromise into a modular supply-chain worm that harvests credentials and propagates across developer ecosystems.

Why it matters: It matters because IAM, NHI, and PAM teams now have to govern developer credentials, CI/CD identities, and cloud secrets as one attack surface rather than separate control domains.

By the numbers:

👉 Read Gurucul's analysis of the Shai-Hulud supply-chain threat evolution


Context

Shai-Hulud is a supply-chain threat pattern in which compromised developer tooling, package registries, and CI/CD workflows are used to steal secrets and spread laterally across software ecosystems. In IAM terms, the risk is not confined to one stolen credential type. It spans repository access, package publishing rights, cloud secret stores, and workflow identities that were trusted to execute code on behalf of developers.

The article shows a shift from single-package compromise toward automated propagation that blends into normal development activity. That is why NHI governance now has to cover developer tokens, short-lived cloud credentials, SSH keys, and workflow permissions together, instead of treating them as isolated hygiene problems.


Key questions

Q: What breaks when malicious workflows can read repository secrets in CI/CD pipelines?

A: The security model breaks when build automation can access secrets that were never intended for release-time use. Malicious workflows can enumerate secret contexts, export credentials into artifacts, and blend exfiltration into normal pipeline activity. That turns trusted CI/CD into an identity abuse channel, so repository permissions and workflow controls need to be governed together.

Q: Why do supply-chain attacks increasingly target developer identity and secret stores together?

A: Because package compromise alone is rarely enough for durable access. Attackers gain much more when PATs, SSH keys, cloud secrets, and CI/CD tokens are harvested in the same campaign, since each credential type can unlock a different ecosystem. This is why identity governance must cover developers, pipelines, and secret platforms as one attack surface.

Q: What do security teams get wrong about secrets management in software supply chains?

A: They often treat secrets management as storage hygiene instead of runtime identity control. The real failure is not only where a secret sits, but who can reach it from repositories, endpoints, and pipelines. If those access paths are not monitored together, leaked credentials become reusable footholds across multiple ecosystems.

Q: How should teams respond when a package ecosystem starts showing repeated credential theft?

A: They should assume the attacker is pursuing propagation, not a one-off compromise. Prioritise revocation of exposed credentials, review workflow and publishing permissions, and inspect repository mutation history for signs of cross-ecosystem spread. The fastest containment comes from cutting identity reuse paths before the malware can recurse into new environments.


Technical breakdown

Repository-centric propagation in supply-chain malware

Shai-Hulud and related campaigns use repository compromise as a launch point for broader propagation. Once attackers gain write access to a GitHub repository, they can inject malicious workflows, alter package metadata, and trigger downstream execution in environments that trust the repository as an authenticated source. The key technical shift is that the repository becomes both the delivery mechanism and the trust anchor. That collapses the line between source control, build automation, and identity enforcement, especially when workflow runners can reach secrets contexts and publishing credentials.

Practical implication: lock down repository write paths and treat workflow-file changes as identity events, not just code changes.

Credential harvesting across developer and cloud secret stores

The Miasma architecture described in the article separates credential collection, validation, exfiltration, and propagation into modular providers. That design allows it to search across AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, Kubernetes secrets, HashiCorp Vault, local credential files, and package-manager tokens. This is a classic secrets-blindness problem: the attacker is not limited to a single app or environment. The same identity material can be harvested from source control, endpoints, and cloud secret platforms, then reused for package publication or lateral movement.

Practical implication: unify visibility across secret stores, developer endpoints, and package credentials so one compromise does not become many.

GitHub Actions abuse as a secrets-exfiltration channel

The article describes injected workflows that enumerate repository secrets and export them into artifacts. That matters because GitHub Actions provides a legitimate execution and storage path, so exfiltration can look like ordinary CI output unless defenders inspect workflow provenance and artifact behaviour. The problem is not only theft of secrets. It is the abuse of platform-native mechanisms to avoid traditional command-and-control patterns, which makes detection harder and shifts the defense burden toward identity-aware CI/CD monitoring.

Practical implication: monitor workflow modifications, artifact creation, and unusual secret-context access as first-class identity signals.


Threat narrative

Attacker objective: The attacker aims to turn trusted development infrastructure into a reusable propagation engine for credential theft, package compromise, and cross-ecosystem persistence.

  1. Entry begins with compromised package or repository access that lets the attacker seed malicious code into trusted developer pipelines.
  2. Escalation occurs when the malware harvests PATs, npm tokens, SSH keys, cloud credentials, and CI/CD secrets for reuse across ecosystems.
  3. Impact follows when those credentials are used to publish malicious packages, inject workflows, and propagate into downstream repositories and cloud identities.

Read our 52 NHI Breaches Analysis report for a comprehensive view of breaches impacting Non-Human Identities including AI Agents.


NHI Mgmt Group analysis

Shai-Hulud exposes an identity blast radius problem, not just a malware problem. Once repository access, package publishing rights, CI/CD workflow permissions, and cloud secrets are all part of the same attack surface, traditional point controls stop describing the threat accurately. The attack succeeds by moving laterally through trusted identity relationships, not by exploiting one isolated vulnerability. Practitioners need to think in terms of identity blast radius rather than single-credential compromise.

Secrets management and developer workflow governance have collapsed into the same control plane. The article shows credential harvesting from secret stores, local files, repositories, and workflow artifacts as one continuous abuse chain. That means board-level separation between AppSec, cloud security, and IAM is increasingly artificial. The practical conclusion is that lifecycle, rotation, and access review processes must cover developer identities and machine identities together.

CI/CD trust assumptions were designed for signed intent, not autonomous propagation of credential theft. GitHub Actions and similar systems assume workflows execute because a trusted change was made and that artifacts reflect benign build activity. That assumption fails when the workflow itself is weaponised to search for secrets and export them for reuse. The implication is that pipeline trust can no longer be inferred from repository legitimacy alone.

Credential-centric supply-chain attacks are now modular enough to be reused across ecosystems. The Miasma architecture separates collection, validation, exfiltration, and mutation, which makes the threat portable across npm, PyPI, RubyGems, GitHub, and cloud services. That portability raises the value of cross-domain governance over any single-tool defense. Security teams should expect the next campaign to reuse the same identity mechanics in a different package ecosystem.

The strongest defensive signal is not package malware alone but anomalous identity behaviour across build and secret systems. The article's detection guidance points to unusual PAT use, secret-manager spikes, workflow file changes, and unauthorised package publication. That is a governance signal, not a pure endpoint signal. Security teams should fuse identity telemetry, CI/CD telemetry, and secret-store access into one detection model.

From our research:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.
  • That gap is why our The 52 NHI breaches Report remains relevant for teams mapping how leaked credentials turn into sustained access.

What this signals

Identity blast radius is the right concept for this threat class: a single compromised developer credential can now reach repositories, package registries, workflow runners, and cloud secret stores. As supply-chain attacks become more modular, IAM teams need one control view across build systems and secrets platforms, not separate reports for each domain.

The operational signal is straightforward. If your programme cannot correlate repository changes, secret-store reads, and package publication events in the same detection pipeline, it is already behind the propagation model described here. The next step for practitioners is to anchor those controls in the OWASP Non-Human Identity Top 10 and related CI/CD trust guidance.

With 43% of security professionals concerned about AI systems learning and reproducing sensitive information patterns from codebases, the risk is expanding beyond credential theft into pattern leakage. That makes secret hygiene, repository governance, and developer telemetry part of the same programme decision, not separate workstreams.


For practitioners

  • Treat workflow-file changes as identity events Require review and alerting for any modification to GitHub Actions or similar pipeline definitions, because injected workflows are a primary exfiltration path. Pair repository governance with approval controls for workflow files and watch for new artifact behaviour after changes.
  • Unify visibility across secret stores and developer endpoints Correlate access to AWS Secrets Manager, Azure Key Vault, GCP Secret Manager, local credential files, and package-manager tokens so one credential-harvesting event cannot hide inside separate control planes. Add this to the same monitoring queue as unusual repository write activity.
  • Reduce standing trust in package publication paths Separate package-publishing rights from day-to-day developer access, and require task-scoped approval for npm, PyPI, and RubyGems release credentials. The goal is to keep a stolen token from becoming a repeatable propagation mechanism.
  • Alert on secret-context access inside CI/CD artifacts Monitor for workflow steps that enumerate repository secrets, create unexpected artifacts, or access secret contexts without a matching release event. Investigate any artifact-based exfiltration as an identity abuse case, not just a build anomaly.

Key takeaways

  • Shai-Hulud demonstrates that supply-chain compromise now behaves like an identity propagation problem across repositories, pipelines, and cloud secrets.
  • Credential harvesting across PATs, SSH keys, cloud secrets, and CI/CD tokens creates far more durable access than package compromise alone.
  • Teams that correlate workflow changes, secret-store access, and package publication will detect this class earlier than teams relying on package scanning alone.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 address the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

FrameworkControl / ReferenceRelevance
OWASP Non-Human Identity Top 10NHI-01Covers secret exposure and credential misuse across developer ecosystems.
NIST CSF 2.0PR.AC-4Least-privilege and access governance are central to repository and CI/CD abuse.
NIST Zero Trust (SP 800-207)PR.AC-5Trusted relationships between workflows, repositories, and cloud identities need continuous verification.

Apply continuous verification to CI/CD trust paths instead of assuming repository legitimacy implies safe execution.


Key terms

  • Identity Blast Radius: The total set of systems, workflows, and secrets an identity can reach if it is compromised or misused. In supply-chain environments, this includes repositories, package registries, CI/CD runners, and cloud secret stores that trust the same credential or workflow identity.
  • CI/CD Identity Abuse: Misuse of pipeline identities, workflow permissions, or build artifacts to execute attacker-controlled actions. This usually looks like legitimate automation, but the goal is to steal secrets, alter code, or extend access through trusted build infrastructure.
  • Credential-Centric Propagation: A supply-chain pattern where stolen credentials, not just malicious code, drive expansion into new environments. The attacker reuses tokens, keys, and secrets to move across ecosystems, which makes identity controls as important as package scanning.

What's in the full report

Gurucul's full blog covers the operational detail this post intentionally leaves for the source:

  • Sequence-level analysis of the Shai-Hulud and Miasma execution workflow, including provider initialization and mutation stages.
  • MITRE ATT&CK mapping for repository compromise, credential access, artifact exfiltration, and trusted relationship abuse.
  • Detection opportunities across GitHub, cloud secret managers, endpoints, and identity telemetry with concrete indicators.
  • Indicators of compromise and file hashes that implementation teams can use for hunting and triage.

👉 Gurucul's full blog covers the attack flow, credential-harvesting methods, and detection opportunities in more detail.

Deepen your knowledge

NHI governance, agentic AI identity, and machine identity lifecycle are core topics in our NHI Foundation Level course, the industry's only accredited NHI security programme. If you are responsible for identity security strategy or NHI governance in your organisation, it is worth exploring.
NHIMG Editorial Note
Published by the NHIMG editorial team on 2026-06-25.
NHI Mgmt Group — the independent authority on Non-Human Identity, IAM, and Agentic AI security. nhimg.org